Third-party assessments are a kind of workflow that helps you understand how the data and security practices of your vendors, contractors, or other external partners might affect your own privacy program. Each assessment contains one or more workflows, drawn either from your org's own library or from Google's open-source library, and can be sent to one or more external recipients using an access-controlled invitation.
Gaining a clear understanding of an external partner's privacy practices often requires you to gather information from more than one person, so TerraTrue's third-party assessments allow you to bundle several workflows into a single invitation that you can send to multiple people. Everyone who receives that invitation will collaborate on the same response, but each person can focus on the workflow that best suits their area of expertise.
You can view and manage your invitations, responses, and comments at Third Parties > Third Party Assessments > Invitations. To create, edit, or delete the individual workflows that are bundled into third-party assessments, visit the Third Party Assessment Library.
Inviting external partners to a third party assessment
Invitations are created and managed at Third Parties > Third Party Assessments > Invitations > New Invitation. To build a new invitation, click New Invitation.
- Choose or enter a third party. Select which third party will receive your invitation. You can choose from your organization's database of third-party partners or enter a new third party.
- Add workflows to your invitation. Choose one or more workflows from your org's workflow library to include in your assessment. If your workflow library is empty, you'll be asked to select one or more items from Google's open-source Vendor Security Assessment Questionnaires. To create new workflows or modify your library, see Creating and managing third party assessments.
- Optionally link a launch.
- Enter your recipients. Either choose from your third-party contacts, or add the names and email addresses of the people who will receive your invitation.
- Add a message to your recipients. This message will appear in an email to each recipient and can be a helpful way to provide guidance.
For security reasons, invitations expire after a period of time. By default, the access period for invitations is 30 days. Admins can adjust that period to be anywhere between 1 day and 90 days by visiting Third Parties > Third Party Settings > Invitations.
You can enable reminder notifications for third parties on invitations.
Creating and managing third party assessments
In Third Parties > Third Party Assessments > Assessment Library, select Create. Give the assessment a name and description, choose whether to allow users to flag questions for later and whether to enable risk scoring, and click Confirm to enter the builder.
Creating a third-party assessment is nearly identical to creating any other workflow. You can create pages and questions, add display conditions for individual questions, and configure risk scoring. You'll also have the ability to preview your work before publishing.
You can create third-party assessments from scratch, or import Google's open-source Vendor Security Assessment Questionnaires by clicking Import Google VSAQ. Doing so will add four new workflows to your library, all of which can be edited in TerraTrue:
- Web Application Security Questionnaire
- Security & Privacy Program Questionnaire
- Infrastructure Security Questionnaire
- Physical & Datacenter Security Questionnaire
Using taxonomy questions in third party assessments
Taxonomy questions, which you add in Third Parties > Third Party Assessment Library > Assessment > Builder, are useful for collecting answers as structured data: they ask respondents to select one or more items from one of your org's existing taxonomies. (Taxonomies are databases of information about how your org uses data. Some common TerraTrue taxonomies are data types, data uses, third parties, processing locations, and retention periods. TerraTrue provides a robust set of default taxonomies, but administrators in each org can also customize these taxonomies with their own items.)
It's important to remember that sending a taxonomy question to a third-party user will allow that user — and anyone else who has access to the secure assessment link — to see all of your org's taxonomy items of the type included in the question. If, for example, you ask a third-party user to select an answer from your org's taxonomy of data uses, the recipient will be able to see every data use that your org has stored in that taxonomy — including TerraTrue's default items and your org's custom items. The recipient would not be able to see any other taxonomy types — such as retention periods or processing locations — unless you were to send them a taxonomy question that uses that particular taxonomy type.
Responding to third party assessments
Third-party users will be emailed a link to their assessment. This link is unique to each recipient of the invitation. If anyone is erroneously included in the invitation, revoking that person's invitation will prevent them from accessing the assessment without disrupting access for anyone else included in the invitation.
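As an added illustration (not TerraTrue's code, whose implementation is not public), the access model described here and the expiry window described under invitations can be sketched as one secret token per recipient inside an invitation with an org-wide access period. The class and method names, the SHA-256 storage of tokens, and the in-memory store are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Bounds from the help text: default 30 days, admin-adjustable from 1 to 90 days.
DEFAULT_ACCESS_DAYS = 30
MIN_ACCESS_DAYS, MAX_ACCESS_DAYS = 1, 90

def validate_access_days(days: int) -> int:
    """Reject an access period outside the admin-configurable range."""
    if not MIN_ACCESS_DAYS <= days <= MAX_ACCESS_DAYS:
        raise ValueError(f"access period must be {MIN_ACCESS_DAYS}-{MAX_ACCESS_DAYS} days")
    return days

def _hash(token: str) -> str:
    # Store only a digest so a leaked table does not expose live links (assumed design).
    return hashlib.sha256(token.encode()).hexdigest()

@dataclass
class Invitation:
    assessment_id: str
    access_days: int = DEFAULT_ACCESS_DAYS
    created_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))
    # email -> {"token_hash": str, "revoked": bool}; one secret per recipient
    recipients: dict = field(default_factory=dict)

    @property
    def expires_at(self) -> datetime:
        return self.created_at + timedelta(days=validate_access_days(self.access_days))

    def invite(self, email: str) -> str:
        """Issue one recipient's secret; the caller embeds it in that person's link."""
        token = secrets.token_urlsafe(32)
        self.recipients[email] = {"token_hash": _hash(token), "revoked": False}
        return token

    def revoke(self, email: str) -> None:
        self.recipients[email]["revoked"] = True  # other recipients keep their access

    def resolve(self, token: str, now: datetime):
        """Return the recipient's email if the link is still live, else None."""
        if now >= self.expires_at:
            return None
        digest = _hash(token)
        for email, rec in self.recipients.items():
            if not rec["revoked"] and secrets.compare_digest(digest, rec["token_hash"]):
                return email
        return None
```

Revoking one recipient leaves every other token usable until the whole invitation reaches its access period, which is the behaviour the text describes.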
Clicking the link in their email will take the respondent to a landing page where they will see a list of all of the workflows they need to complete. Progress is saved from page to page, and responses can be edited after completion.
When each workflow in an assessment is completed, both the person who sent the invitation and the person who completed each workflow will receive a confirmation email with a link to view the response.
Commenting on third party assessments
You may view responses and comment on an assessment from the third party invitation.
Third party assessments allow you to send messages back and forth within the platform if any questions arise. When the invited third party leaves a comment on the assessment, an email notification will be sent to the user who invited the third party to the assessment.
Linking third party assessments to launches
Linking third parties to a launch helps you track third party reviews alongside your review teams by providing notifications. You may do this on any launch or child launch.
Third Party Reassessments
Depending on your org and the third party's risk, you may need to complete an assessment on a regular cadence. TerraTrue helps you set up a reassessment of a third party from its Third Party Profile, with the ability to create a launch or child launch for an upcoming reassessment.
To do this, click + Schedule a reassessment in the right-hand corner and fill out the details of the reassessment launch creation action.
Note: A reassessment launch will not automatically adopt the third party launch type or the third party, because the third party launch type may not be set up in your org. To have these linked automatically, create a child launch under a launch that already uses the third party launch type and is associated with the third party; the child launch adopts the parent launch's attributes.
TerraTrue also stores your past reassessments for review. To find them, switch the selector in the right-hand panel from Upcoming to Past.